HEAD Request Anatomy.
The HEAD method is defined in both the HTTP/1.0 and HTTP/1.1 specifications. A server answers a HEAD request with the same
status line and headers it would return for the equivalent GET, but without the message body, which makes it a cheap probe
when a penetration tester has to work across different types of web servers. After a good deal of testing and analysis I
have found that different web server versions respond in characteristic ways to a crafted HEAD request. Below we walk
through a practical layout and analyse the results.
Reference Statement: "Clearly, since HTTP/1.0 clients will not send Host headers, HTTP/1.1 servers cannot
simply reject all messages without them. However, the HTTP/1.1 specification requires that an HTTP/1.1 server
must reject any HTTP/1.1 message that does not contain a Host header."
Link : Key Differences Between HTTP/1.0 and HTTP/1.1
I am testing with a rogue HEAD request that carries metacharacters; it has worked for me consistently.
HTTP/1.0 does not require a Host header, so the probes below use HTTP/1.0. Using HTTP/1.1 instead makes little
difference to the technique: the only change is that a Host header must be supplied, because without one a
compliant server answers 400 Bad Request regardless of the path and the probe tells you nothing. We look first at
Apache/1.3.33 and Apache/2.2.3.
[Target A]
D:\tools>nc 172.31.2.3 80
HEAD /\~!@#$%^&* HTTP/1.0
HTTP/1.1 404 Not Found
Date: Sat, 22 Sep 2007 12:18:22 GMT
Server: Apache/1.3.33 (Darwin) PHP/4.4.7
D:\tools>nc 172.31.2.3 80
HEAD / \~!@#$%^&* HTTP/1.0
HTTP/1.1 400 Bad Request
Date: Sat, 22 Sep 2007 12:18:42 GMT
Server: Apache/1.3.33 (Darwin) PHP/4.4.7
[Target B]
D:\tools>nc 172.31.1.11 80
HEAD /\~!@#$%^&* HTTP/1.0
HTTP/1.1 404 Not Found
Date: Sat, 22 Sep 2007 12:11:40 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch7
D:\tools>nc 172.31.1.11 80
HEAD / \~!@#$%^&* HTTP/1.0
HTTP/1.1 302 Found
Date: Sat, 22 Sep 2007 12:11:53 GMT
Server: Apache/2.2.3 (Debian) PHP/5.2.0-8+etch7
Webserver = Apache/2.2.3 (Debian)
Look closely: a small change in the request line changes the response. With the metacharacters glued to the slash, both
servers answer 404 Not Found, which is simply the correct answer for a path that does not exist. With a space between the
slash and the metacharacters the request line carries an extra token, and here the versions diverge: Apache/1.3.33 rejects
the malformed line with 400 Bad Request, while Apache/2.2.3 apparently treats it as a request for / and returns whatever the
document root answers (302 Found on this host). Neither behaviour violates the specification; the point is that the
difference is stable per version, so it can be used to tell Apache releases apart.
[Target C]
D:\tools>nc 172.31.1.33 80
HEAD / \~!@#$%^&* HTTP/1.0
HTTP/1.1 302 Found
Date: Sat, 22 Sep 2007 13:46:32 GMT
Server: Apache/2.0.52 (Fedora)
X-Powered-By: PHP/4.3.9
D:\tools>nc 172.31.1.33 80
HEAD /\~!@#$%^&* HTTP/1.0
HTTP/1.1 404 Not Found
Date: Sat, 22 Sep 2007 13:46:54 GMT
Server: Apache/2.0.52 (Fedora)
Webserver = Apache/2.0.52 (Fedora)
[Target D]
D:\tools>nc 172.31.1.30 80
HEAD /\~!@#$%^&* HTTP/1.0
HTTP/1.1 404 Not Found
Date: Sat, 22 Sep 2007 14:12:18 GMT
Server: Apache/2.0.54 (Linux/SUSE)
D:\tools>nc 172.31.1.30 80
HEAD / \~!@#$%^&* HTTP/1.0
HTTP/1.1 200 OK
Date: Sat, 22 Sep 2007 14:12:29 GMT
Server: Apache/2.0.54 (Linux/SUSE)
Webserver = Apache/2.0.54 (Linux/SUSE)
This shows the consistent difference between Apache 2.x.x and 1.x.x: the 1.x line answers the spaced request with
400 Bad Request, while the 2.x line serves it as a request for / (200 OK here, 302 Found where the root redirects). It
works almost everywhere in the same manner, so the major version can be fingerprinted even when the Server banner cannot
be grabbed or has been altered.
[Target E]
D:\tools>nc 172.31.2.4 80
HEAD / \~!@#$%^&* HTTP/1.0
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.1
Date: Sat, 22 Sep 2007 14:26:20 GMT
D:\tools>nc 172.31.2.4 80
HEAD /\~!@#$%^&* HTTP/1.0
HTTP/1.1 404 Object Not Found
Server: Microsoft-IIS/5.1
Date: Sat, 22 Sep 2007 14:26:30 GMT
Webserver = Microsoft-IIS/5.1
Again notice how the response changes from 400 Bad Request to 404 Object Not Found. IIS typically answers this way. Note
that the 404/400 pair on its own also matches Apache 1.3 above, so to separate the two look at the reason phrase
("Object Not Found" rather than "Not Found") and at the header order: IIS sends Server before Date, Apache sends Date first.
[Target F]
D:\tools>nc 172.19.5.122 80
HEAD /\~!@#$%^&* HTTP/1.0
HTTP/1.1 404 Not Found
Date: Fri, 28 Sep 2007 08:19:07 GMT
Server: Apache/2.2.0 (Win32) DAV/2 mod_ssl/2.2.0 OpenSSL/0.9.8a mod_autoindex_color PHP/5.1.2
D:\tools>nc 172.19.5.122 80
HEAD / \~!@#$%^&* HTTP/1.0
HTTP/1.1 200 OK
Date: Fri, 28 Sep 2007 08:19:16 GMT
Server: Apache/2.2.0 (Win32) DAV/2 mod_ssl/2.2.0 OpenSSL/0.9.8a mod_autoindex_color PHP/5.1.2
X-Powered-By: PHP/5.1.2
Webserver = Apache/2.2.0 (Win32) DAV/2
[Target G]
D:\tools>nc 172.31.1.3 8080
HEAD / \~!@#$%^&* HTTP/1.0
HTTP/1.0 403 Forbidden
Server: squid/2.5.STABLE12
D:\tools>nc 172.31.1.3 8080
HEAD /\~!@#$%^&* HTTP/1.0
HTTP/1.0 403 Forbidden
Server: squid/2.5.STABLE12
So most of the time you can fingerprint web servers with strange requests, and the referenced statement holds up. The
squid proxy is the caveat: it answers 403 Forbidden to both probes (with an HTTP/1.0 status line), so a proxy or gateway
in front of a server can hide the behaviour of whatever sits behind it. Also note that every result above was collected
in 2007 against the versions shown; newer releases should be re-tested rather than assumed to behave the same.
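The procedure above, as an added example in Python that is not from the original post: it sends the two probe request lines the transcripts use (the "\~" in them is read as an escaped tilde, which is an assumption) and classifies the server from the status codes, reason phrase and header order alone, never from the banner. The sample responses at the bottom are constructed from the transcripts with the Server value replaced by a neutral string, so the script runs offline; fingerprint() is the live version for a host you are authorised to test.

```python
import socket

META = "~!@#$%^&*"  # metacharacter run from the article (its "\~" read as an escaped tilde)
PROBE_GLUED = "HEAD /" + META + " HTTP/1.0\r\n\r\n"   # metacharacters glued to the slash
PROBE_SPACED = "HEAD / " + META + " HTTP/1.0\r\n\r\n"  # extra token after "/"


def send_probe(host, port, request, timeout=5.0):
    """One raw request on a fresh TCP connection, as each 'nc host 80' in the
    article does; returns the response head as text. Not used by the offline
    samples below."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request.encode("ascii"))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("iso-8859-1", "replace")


def parse_head(raw):
    """Split a response head into (status code, reason phrase, header names in
    order, Server value). Reason phrase and header order matter because the
    classification below does not rely on the banner."""
    lines = raw.replace("\r\n", "\n").split("\n")
    parts = lines[0].split(" ", 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    reason = parts[2] if len(parts) > 2 else ""
    names, server = [], ""
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the headers
        name, _, value = line.partition(":")
        name = name.strip().lower()
        names.append(name)
        if name == "server":
            server = value.strip()
    return code, reason, names, server


def classify(glued, spaced):
    """Map the two responses to a server family using only the behaviour the
    article's transcripts record. Anything else is reported as unknown."""
    gcode, greason, _, _ = parse_head(glued)
    scode, _, snames, _ = parse_head(spaced)
    if gcode == 403 and scode == 403:
        return "squid"        # proxy refuses both probes, hides what is behind it
    if gcode == 404 and scode in (200, 302):
        return "Apache 2.x"   # extra token ignored, "/" is served
    if gcode == 404 and scode == 400:
        # Apache 1.3 and IIS 5.1 both give 404/400; the transcripts differ in
        # the reason phrase ("Object Not Found") and in IIS sending Server
        # before Date, so use those rather than the banner.
        if greason == "Object Not Found" or snames[:1] == ["server"]:
            return "IIS 5.x"
        return "Apache 1.3"
    return "unknown"


def fingerprint(host, port=80):
    """Live version of the article's procedure: send both probes, classify."""
    return classify(send_probe(host, port, PROBE_GLUED),
                    send_probe(host, port, PROBE_SPACED))


# Constructed response heads modelled on the transcripts. The Server value is
# replaced with a neutral string (header order kept) to show that the
# classification works without a usable banner.
SAMPLES = {
    "apache13": ("HTTP/1.1 404 Not Found\r\nDate: Sat, 22 Sep 2007 12:18:22 GMT\r\nServer: hidden\r\n\r\n",
                 "HTTP/1.1 400 Bad Request\r\nDate: Sat, 22 Sep 2007 12:18:42 GMT\r\nServer: hidden\r\n\r\n"),
    "apache2": ("HTTP/1.1 404 Not Found\r\nDate: Sat, 22 Sep 2007 14:12:18 GMT\r\nServer: hidden\r\n\r\n",
                "HTTP/1.1 200 OK\r\nDate: Sat, 22 Sep 2007 14:12:29 GMT\r\nServer: hidden\r\n\r\n"),
    "iis51": ("HTTP/1.1 404 Object Not Found\r\nServer: hidden\r\nDate: Sat, 22 Sep 2007 14:26:30 GMT\r\n\r\n",
              "HTTP/1.1 400 Bad Request\r\nServer: hidden\r\nDate: Sat, 22 Sep 2007 14:26:20 GMT\r\n\r\n"),
    "squid": ("HTTP/1.0 403 Forbidden\r\nServer: hidden\r\n\r\n",
              "HTTP/1.0 403 Forbidden\r\nServer: hidden\r\n\r\n"),
}

if __name__ == "__main__":
    for name, (glued, spaced) in SAMPLES.items():
        print(f"{name:9s} -> {classify(glued, spaced)}")
```

The classifier only knows the four families this post documents and reports anything else as unknown. The 404/400 pair is shared by Apache 1.3 and IIS 5.1, which is why the reason phrase and header order are consulted before the status codes alone are trusted; a server behind squid, or any other front-end that answers the probes itself, will be reported as that front-end.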